Cyber Mayhem – Attackers Actively Exploit Vulnerable Confluence Servers, while 500,000 Fortinet VPNs See Passwords Leaked

Last week was all about patching severe zero-days in leading products from Atlassian Confluence to Fortinet devices to Microsoft Office—all of which are being actively exploited.

These vulnerabilities are:

  • CVE-2021-26084: a critical OGNL vulnerability in Atlassian Confluence and Data Center
  • CVE-2021-40444: an MSHTML Remote Code Execution vulnerability in Microsoft Office
  • CVE-2018-13379: years old Path Traversal flaw in Fortinet VPN firewall devices. The vulnerability has previously been and continues to be exploited to date.

The Confluence of Cryptominers

On August 25th this year, Atlassian released a security advisory on the recently patched OGNL-based remote code execution vulnerability affecting its Confluence and Data Center products. Within a week, however, proof-of-concept (PoC) exploits began emerging from different security researchers [1, 2, 3]. And soon enough, adversaries began their mass scanning activities and actively exploiting this vulnerability.

Soon enough, Jenkins announced attackers had breached their Confluence server to install crypto-mining malware, and an incident response investigation was started.

“Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service. From there an attacker would not be able to access much of our other infrastructure,” stated Jenkins in a blog post

As of now, the Jenkins infrastructure team permanently disabled the Confluence service, rotated credentials, and implemented further protective measures to safeguard the infrastructure.

But, analysis by OSINT firm Censys suggests over 8,000 internet-facing Confluence servers remain vulnerable around the world. Atlassian customers should refer to their security advisory and upgrade their Confluence and Data Center products to fixed versions ASAP.

Fortunately, Sonatype’s Ops and Information Security teams have been proactive and stayed on top of the development. As soon as the security advisory was shared by Confluence (Read more…)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/cyber-mayhem-attackers-actively-exploit-vulnerable-confluence-servers